In 2014, a sample of fifty (50) worldwide organizations reported 1,367 data breach events among more than 63,437 network security incidents. These data breaches represent successful cyber-attacks that circumvented, penetrated, or otherwise went unnoticed by organizations with significant existing investments in network security hardware and software. Most are conducted by external parties to the victim organization using malware or hacking techniques, take months to discover, and are typically reported to the victim by a third party. The companies were not “soft targets.” They employed common network security devices and best governance practices.
The current suite of network security products such as firewalls, intrusion prevention systems (IPS), anti-virus software, policy enforcement tools, configuration management tools, and data loss prevention (DLP) systems play a vital role in implementing a defense-in-depth approach to network security. Such security products are capable of blocking much of the lower end malicious activity in the wild when properly used. Indeed, these security products play an important role in breach remediation by providing an existing framework to remove malware from affected systems once it has been discovered and fingerprinted. Yet, these products/tools are lacking in two fundamental areas:
1. Each tool requires additional hardware and software resources and custom integration negating available efficiencies in system overlap.
2. Detection is too slow and limited to previously observed malware/threat actors and such tools are, therefore, ineffective against the more modern threats.
In the first area, traditional defense tools (e.g., IPS/IDS, policy enforcement, CM, DLP, etc.) and more advanced intelligence analysis tools overlap in core functionality for stream assembly, content extraction, data tagging, association, and workflow integration. However, without the ability to leverage this overlap, data integration requires custom implementation resources. A platform is needed to empower multi-faceted analysis leveraging these core capabilities while providing seamless integration with threat intelligence feeds, stand-alone components, and SIEM tools.
In the second area, today's malware detection engines are tuned for certainty. Signatures are written specifically to hit on the malicious software for which they are designed. To address the shortcoming of signature-based systems, defenders are now using sandboxes—carefully controlled virtual environments to execute and examine the behavior of suspect files. While more resilient to changes in malware relative to signatures, sandboxes are simply too slow to keep up with tremendous volume of enterprise network traffic. Since each file can take several minutes to examine, these systems must use pre-filters to decide which files to look at while allowing the rest to pass unexamined. It is typically too costly to build a sandbox large enough to examine all traffic. Pre-filters are little more than signature-based detection mechanisms where the signatures are related to the file metadata or behavioral patterns in the network environment. A pre-filter might look for an emailed file from someone outside the enterprise with a URL linking to the file. These behavioral patterns are just as fragile as signatures and require previous, repeated observation of the behavior. Only a small subset of potential malware is inspected and many potential threats continue untouched.
Even if new malware were to be selected for analysis, most sandbox environments only look for previously observed malicious activity such as changes to the Windows registry. Authors of new malware understand sandbox detectors and have simple methods for evading detection including having the malware sleep for minutes before executing, detecting sandbox network settings, mimicking benign execution, and designing for highly specific computing configurations that sandboxes do not replicate. Both approaches attempt to mitigate their fragile design through broad-based reporting and sharing of malicious signatures. These techniques leave defenders chasing the threat and offer no path to proactive and predictive defense. Existing solutions are too slow and ineffective against the modern threat.
A paradigm shift is needed. Proactive search and discovery of threats using real time non-signature based techniques must supplement antiquated signature and behavior based techniques. Automated identification of threats must reduce the discovery timeline from months to minutes. Defenders must head off an attack before it occurs rather than waiting for someone outside their organization to alert them of a breach.